[Pacemaker] Active-Active HA Firewall

Michael Schwartzkopff misch at clusterbau.com
Fri Oct 15 11:26:59 UTC 2010


On Friday 15 October 2010 09:47:50 Marcel Hauser wrote:
> On 14.Oct 2010 22:31, Michael Schwartzkopff wrote:
> >> i do know about fwbuilder and that it's possible to use fw builder in
> >> order to build a cluster configuration. I've also read a pdf dated in
> >> feb 2009 about ha firewalls by using heartbeat.
> > 
> > Yes, I know I should update that paper ;-)
> 
> That would be awesome! :-)

Please add two hours to my day.

> > NO cloned IP addresss in a firewall. Cloning only works in the INPUT
> > chain, not on the forward chain! So no chance for a load-balancing
> > firewall. Please make it one virtual IP address.
> 
> Thank you very much for that information... that clarifies a lot for me.
> 
> I was somehow hoping that this might have become possible these days.

No chance.

> > But that is no problem. firewalling is no hard job any more. A reasonable
> > machine can firewall 1 GBit/s traffic.
> 
> valid point. my only "concern" is/was that i don't like the idea of a
> passive firewall.... because when you need it to failover (maybe after 2
> years :-) ).... you may just realize that it's somehow broken too.
> 
> In an active-active-like setup you basically know that both systems are
> actually working as expected.

You can exercise a failover test every Tuesday 13:00 if everybody is surfing.
Or shift the exercise to Friday 6:00.

> >> - how would you guys detect a firewall failure on any node (pingd ??)...
> >> and if a failure occurs... will the crm automatically unconfigure the
> >> cloned ip's on that node ?
> > 
> > pingd to check the availability of the attached network. The cluster
> > resource manager takes care of the failover. See the "from the scratch"
> > doc.
> 
> Yes i've read that in the docs. But is this really common practice for
> firewall clusters ? i don't want the firewall to failover if i'm having
> "internal problems with internal hosts/pingable addresses"!?
> 
> otherwise i have to build an internal ping cluster ;-)

Why? Failover occurs only if the reachability of the ping nodes differs severely,
i.e. one node sees three ping nodes and the other one only one. Details depend
on your config.

> why did you choose to run conntrackd and heartbeat over a dedicated
> bonding interface in your pdf, compared to the FW builder docs which say
> to run heartbeat over every interface of the firewall, which therefore
> might enable the cluster to detect network card failures... because the
> heartbeat is not received over a given failed interface anymore ?

Network card failure should be detected by the monitor of the IPaddr2
resource. Of course you could run your corosync and conntrackd traffic over the
dedicated links.

> > Rumors say that there is a good German book about clusters from O'Reilly.
> > In the examples chapter the author exactly describes the setup you
> > mentioned. ;-)
> :-).... i've seen that... but i hate reading books (no matter on what
> topic)... and my learning curve is much more efficient if i learn it
> myself :-)
> 
> but thanks for the hint... and i really appreciate your and any other help!

Another hint: Just read the interesting parts of the book. Basically the 
points I explained in my mails.

Greetings,

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München

Tel: (0163) 172 50 98
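As an added illustration (not from the thread, from Michael's paper or from fwbuilder), the setup recommended above expressed in Pacemaker's crm shell syntax: one virtual IP per side managed by IPaddr2 instead of cloned addresses, a cloned ping resource whose score moves the firewall to the better-connected node, and conntrackd as a master/slave resource so the connection table follows the active node. The addresses, interface names, ping targets, the conntrackd config path and the availability of the ocf:heartbeat:conntrackd agent are assumptions.

```crmsh
# Added example: Pacemaker configuration (crm shell syntax) for an
# active/passive firewall pair, following the advice in the thread.
# IP addresses, NIC names, ping targets and paths are assumptions.

# One virtual IP per side, NOT a clone: a cloned address only works for
# traffic in the INPUT chain, forwarded traffic needs a single active node.
primitive p_ip_ext ocf:heartbeat:IPaddr2 \
    params ip=192.0.2.1 cidr_netmask=24 nic=eth0 \
    op monitor interval=10s timeout=20s
primitive p_ip_int ocf:heartbeat:IPaddr2 \
    params ip=10.0.0.1 cidr_netmask=24 nic=eth1 \
    op monitor interval=10s timeout=20s
# The IPaddr2 monitor fails when the address is gone from the NIC, so a
# dead card is caught here; no heartbeat on every interface is needed.

# Reachability of the attached networks: assumed targets are the upstream
# router and two internal gateways. Every reachable host adds 'multiplier'
# to the node attribute 'pingd' (the agent's default attribute name).
primitive p_ping ocf:pacemaker:ping \
    params host_list="192.0.2.254 10.0.0.254 10.0.1.254" \
           multiplier=1000 dampen=5s \
    op monitor interval=15s timeout=60s
clone cl_ping p_ping

# conntrackd replicates the connection table to the passive node so that
# established sessions survive the failover. Assumes the
# ocf:heartbeat:conntrackd agent and an existing conntrackd.conf that
# syncs over the dedicated link (same link as the corosync ring).
primitive p_conntrackd ocf:heartbeat:conntrackd \
    params config=/etc/conntrackd/conntrackd.conf \
    op monitor interval=20s role=Slave timeout=20s \
    op monitor interval=10s role=Master timeout=20s
ms ms_conntrackd p_conntrackd \
    meta master-max=1 master-node-max=1 clone-max=2 notify=true

# Both addresses move together and only where conntrackd is master.
group g_fw p_ip_ext p_ip_int
colocation col_fw_on_master inf: g_fw ms_conntrackd:Master
order ord_promote_before_fw inf: ms_conntrackd:promote g_fw:start

# Prefer the node that reaches more ping targets: the pingd attribute is
# used directly as the location score. With multiplier=1000 and
# stickiness=1500 a difference of one target (1000) is ignored, while
# node A seeing three targets and node B only one (2000) fails over.
location loc_fw_connectivity g_fw \
    rule pingd: defined pingd
rsc_defaults resource-stickiness=1500
```

Load it with `crm configure load update <file>` and verify with `crm_mon -A`, which shows the per-node pingd attribute; pulling the cable on one side of the active node should drop its score by 1000 per lost target and, once the difference exceeds the stickiness, move g_fw and promote conntrackd on the other node.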